Mailinglist Archive: opensuse-buildservice (140 mails)

Re: [opensuse-buildservice] adding checksums to the buildinfo
On 2012-07-18 07:28:03 +0200, Adrian Schröter wrote:
> On Wednesday, 18 July 2012, 00:10:20, Marcus Hüwe wrote:
> > On 2012-07-17 23:14:59 +0200, Adrian Schröter wrote:

<SNIP>

> > > Where do you see a security problem?
> >
> > Well, it's rather an issue with the current workflow:
> > - ask user if he "trusts" the project(s)
> > - download the pubkey(s) from the api
> > - check gpg signature of the packages
> >
> > The user doesn't verify if the received pubkey is a "correct"/expected
> > key. That is, the performed gpg check is just some kind of integrity check
> > (we do not verify authenticity - just that the package was signed with
> > "some" key (which is delivered by the api)).
>
> Right, but the api is verified via the SSL certificate. So you trust the
> server that it hands you the right key for the project.

With the same argument we can trust a "simple" hash value too :)

> > IMHO we can achieve the same by using some hash value (unless we make the
> > workflow from above more complex). The advantage is that this works
> > for all binarytypes (rpm, deb, arch).
>
> Yes, thinkable with some strong SHA key. But it will fail when it downloads
> noarch packages from mirrors (just one noarch package is there and, thanks to
> Murphy, always the one from the other architecture). Also packages from
> Export filters will be a problem then.

Ah, good point - I didn't think about this :)
As a fallback osc could fetch a package from the api if the hash of the
downloaded package doesn't match, but this is rather ugly... I agree
that a signature helps in this case :)


Marcus
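The hash-with-fallback workflow sketched in the reply above, written out as an added example that is not part of the thread or of osc itself; the package bytes, the mirror/api fetch functions and the package name are constructed for illustration:

```python
import hashlib

# Constructed sample: the same noarch package built on two architectures.
# Each build embeds its own build host and timestamps, so the bytes (and
# therefore the digest) differ even though the package name is identical.
NOARCH_X86_64 = b"foo-1.0-noarch built on x86_64 on buildhost-a 2012-07-18\n"
NOARCH_I586 = b"foo-1.0-noarch built on i586 on buildhost-b 2012-07-18\n"

# The buildinfo for an x86_64 build would carry the digest of the x86_64 build.
EXPECTED_SHA256 = hashlib.sha256(NOARCH_X86_64).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mirror_fetch(name: str) -> bytes:
    # Murphy's law from the thread: the mirror holds the other architecture's build.
    return NOARCH_I586


def api_fetch(name: str) -> bytes:
    # The api serves the build that matches the buildinfo.
    return NOARCH_X86_64


def fetch_verified(name, expected_sha256, fetch_mirror=mirror_fetch, fetch_api=api_fetch):
    """Return (data, source). Try the mirror first; on a digest mismatch retry
    from the api. A mirror mismatch is not by itself evidence of tampering
    (a noarch package may be another architecture's build), but a mismatch
    from the api means the package must not be used."""
    data = fetch_mirror(name)
    if sha256_hex(data) == expected_sha256:
        return data, "mirror"
    data = fetch_api(name)
    if sha256_hex(data) == expected_sha256:
        return data, "api"
    raise ValueError(f"{name}: checksum mismatch even from the api, refusing to use it")


if __name__ == "__main__":
    data, source = fetch_verified("foo-1.0.noarch.rpm", EXPECTED_SHA256)
    print(f"got {len(data)} bytes from {source}")  # prints "... from api"
```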
